An ITC-LMS user pointed out that the following vulnerability was found in ITC-LMS in June 2020: "When a user who has TA authority in a course transitions to another course via some URL after logging in, the user was able to do some operations that require TA authority even though the user has no authority for that course."
We confirmed the vulnerability and asked the vendor to investigate. The investigation found that the cause was a missing check of the user's authority for each course. We also found other cases where operations were possible without the required authority. We modified the system; most of the modifications, including the most important ones, were completed on 14 July. All modifications were finally completed on 15 September.
We checked the operation logs going back to March 2019, when the current ITC-LMS operation started, and found no practical abuse of the above-mentioned vulnerability.
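The missing per-course authority check and the log review described above, as an added example that is not ITC-LMS or vendor code: a flawed check that honours TA authority held in any course, the per-course check that replaces it, and a log review that replays recorded operations through the per-course check. The enrollment table, operation names, and log format are all constructed assumptions.

```python
# Constructed model; every name and value here is hypothetical, not ITC-LMS code.
TA_ONLY = {"grade_submission", "edit_material"}  # operations requiring TA authority

# (user, course) -> role. Authority is granted per course, not per account.
ENROLLMENT = {
    ("alice", "course-A"): "ta",
    ("alice", "course-B"): "student",
    ("bob", "course-B"): "ta",
}

def authorize_flawed(user, course, op):
    """Flawed pattern: TA authority held in ANY course is honoured everywhere."""
    is_ta_somewhere = any(u == user and r == "ta" for (u, _), r in ENROLLMENT.items())
    return op not in TA_ONLY or is_ta_somewhere

def authorize_per_course(user, course, op):
    """Check the role for the course named in this request; deny by default."""
    role = ENROLLMENT.get((user, course))
    if role is None:
        return False  # not a member of this course at all
    return op not in TA_ONLY or role == "ta"

# Constructed operation log, one entry per line: timestamp user course operation
SAMPLE_LOG = """\
2019-04-02T10:00:00 alice course-A grade_submission
2019-04-02T10:05:00 alice course-B view_material
2019-04-02T10:06:00 alice course-B grade_submission
2019-04-03T09:00:00 bob course-B edit_material
2019-04-03T09:30:00 carol course-A view_material
"""

def audit(log_text):
    """Return logged operations that the per-course check would have refused."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess their meaning
        ts, user, course, op = parts
        if not authorize_per_course(user, course, op):
            findings.append((ts, user, course, op))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("would have been refused:", *finding)
```

The audit here uses a single current enrollment table; a review over a long period would need each user's role as it stood at the time of the logged operation.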
We deeply apologize to all users for any inconvenience that this may have caused, and for the late announcement, which was delayed until after we had finished the countermeasures for other websites using the same software.